MacAdmin 101: The root user account
An issue that can pop up for new Mac admins is whether or not to enable the root account on the Macs in your environment. By default, the root account on OS X and macOS is a disabled account with the following settings:
Display name: System Administrator
Account name: root
Home directory: /var/root
User shell: /bin/sh
The root account is the superuser on a Unix-style operating system like OS X and macOS, and Unix is designed to give the root account total access to everything. When asking what root can do on a system, it may be better to ask what root cannot do, because that list is very, very short. Because the root account has enormous power on a Unix system, you may believe that enabling the root account and using it for your system administration tasks is a no-brainer.
In fact, the opposite is the case: It’s better to leave the root account disabled and not use it for system administration.
Why should you avoid logging into the root account and running tasks from there?
- Mistakes happen – When logged in as the root account, you have total access to the system and anything you run while logged in as root will just happen. That also means you can do a lot of damage if you make a mistake.
- Malware and software bugs – Being logged in as the root account means that all the applications you’re using are running with the root account’s privileges. That means every vulnerability and bug in those applications can potentially cause havoc on your system, because anything executing undesired behavior, or exploiting a vulnerability in a particular application, does so with the root account’s rights to go anywhere and do anything on your system.
- Auditing – If multiple people log into the root account and use it for system administration, the account isn’t tied to a single person, and actions taken while logged in as root aren’t necessarily logged. That makes it harder to figure out after the fact who did what if there’s a problem.
- It’s not necessary – The sudo command line tool is available and installed by default on both OS X and macOS. sudo is a Unix program which allows a user with the correct sudo rights to execute a command using the security privileges of another user account, with the root account’s security privileges being used by default.
Using sudo is safer than using the root account for the following reasons:
- Nobody needs to know the root account’s password – sudo prompts for the current user’s password and will check to see if the user which is trying to use sudo has the necessary rights for sudo to run the requested commands with root privileges.
- The granting of root privileges is temporary – By default, sudo will time out after fifteen minutes and will require re-authentication before running commands again.
- Only those commands run via sudo are using root privileges – Only the commands run using sudo will be run with root privileges. Meanwhile, commands run without sudo are being run without root privileges, which reduces the potential for damage from making a mistake.
- sudo use is logged – When a command is executed using sudo, the command and the account which used sudo to run it are logged. Likewise, unsuccessful attempts to run commands with sudo are also logged. This provides an easy way to look up which commands were run and who ran them.
For more information on using sudo, see below the jump.
By default, all user accounts with admin rights on both OS X and macOS have full rights to use the sudo tool. What this means is that any user with admin rights can run commands using the root account’s security privileges without needing to be logged in as the root user. To run commands with the root account’s privileges while logged in as a user with admin rights on OS X or macOS, you would add sudo before the rest of your command in Terminal.
For example, you can use the procedure shown below if you want to check the current date by running the date command with root privileges:
1. Open Terminal
2. Run the command shown below:
3. Authenticate with your account’s password when prompted.
Once the account’s password has been provided and sudo has verified that the account in question has the necessary sudo rights, the command should run.
If this is the first time that sudo has been run for this account, you will receive a warning similar to that shown below in addition to being prompted for your password.
If sudo checks and finds that an account does not have the necessary rights, the user is notified that the attempt will be reported and the command is not run.
To check to see which commands have been run with sudo, you can check the relevant log. On OS X El Capitan, successful and unsuccessful use of sudo is logged to the following location:
This log can be viewed in the Console application, available in /Applications/Utilities.
Please see below for examples of successful and unsuccessful sudo use being logged.
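As an added example (not from the original post, and not Apple’s or sudo’s own tooling), the POSIX shell functions below show what an admin can pull out of those log entries: who ran which command successfully, and which attempts were rejected. The log lines are constructed samples in sudo’s usual `account : ... ; COMMAND=...` layout, not copied from a real system, and the hostname, account names and PIDs are made up.

```shell
#!/bin/sh
# Added example: summarize sudo activity from log lines.
# Assumption: the lines follow sudo's standard syslog layout,
#   "... sudo[pid]:  account : TTY=... ; PWD=... ; USER=... ; COMMAND=..."
# with a failure reason inserted after the account on rejected attempts.

# Constructed sample log lines (not real data).
SAMPLE_LOG='Jan 10 09:15:02 mac01 sudo[512]:   alice : TTY=ttys000 ; PWD=/Users/alice ; USER=root ; COMMAND=/bin/date
Jan 10 09:16:40 mac01 sudo[530]:   alice : TTY=ttys000 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/sbin/softwareupdate -l
Jan 10 09:20:11 mac01 sudo[544]:     bob : user NOT in sudoers ; TTY=ttys001 ; PWD=/Users/bob ; USER=root ; COMMAND=/bin/date
Jan 10 09:21:05 mac01 sudo[551]:   alice : 3 incorrect password attempts ; TTY=ttys000 ; PWD=/Users/alice ; USER=root ; COMMAND=/bin/ls /var/root'

# Print "account<TAB>command" for every sudo invocation that was allowed to run.
sudo_successes() {
    printf '%s\n' "$1" | awk '
        /sudo\[[0-9]+\]:/ && !/NOT in sudoers/ && !/incorrect password/ {
            sub(/.*sudo\[[0-9]+\]: +/, "")   # drop timestamp, host and pid
            split($0, parts, " : ")           # parts[1] is the account name
            cmd = $0
            sub(/.*COMMAND=/, "", cmd)        # keep only the command that ran
            print parts[1] "\t" cmd
        }'
}

# Print "account<TAB>reason" for every attempt sudo rejected.
sudo_failures() {
    printf '%s\n' "$1" | awk '
        /sudo\[[0-9]+\]:/ && (/NOT in sudoers/ || /incorrect password/) {
            sub(/.*sudo\[[0-9]+\]: +/, "")
            split($0, parts, " : ")
            reason = parts[2]
            sub(/ ;.*/, "", reason)           # reason ends at the first " ;"
            print parts[1] "\t" reason
        }'
}

# Count how many commands a given account ran successfully via sudo.
count_for_account() {
    sudo_successes "$2" | awk -F '\t' -v u="$1" '$1 == u { n++ } END { print n + 0 }'
}

# Stand-alone run: report on the constructed sample.
echo "Successful sudo commands:"
sudo_successes "$SAMPLE_LOG"
echo "Rejected sudo attempts:"
sudo_failures "$SAMPLE_LOG"
echo "Commands run by alice: $(count_for_account alice "$SAMPLE_LOG")"
```

Feeding the functions a real log instead of `SAMPLE_LOG` (for example with `"$(cat /path/to/log)"`) gives the same per-account view the post describes, which is exactly what is lost when several people share the root password.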
System Integrity Protection and the root account:
One other issue to be aware of is that on OS X El Capitan and later, the root account itself has had its power limited by Apple’s System Integrity Protection (SIP). SIP is an overall security policy with the goal of preventing system files and processes from being modified by third parties. Among other goals, it is designed to limit the power of root and to protect the system even from the superuser. For more information about SIP and how it works, please see the link below: